Healthcare Cybersecurity Weekly Briefing 9-1-2017

Make no mistake, those vast databases give healthcare providers a comprehensive view of their patients’ health, an advantage that easily could be lifesaving in an emergency. The downside is that those databases put our most private information at risk of exposure. Hospitals, insurers, doctors and government agencies didn’t pay “much attention to privacy and security” in their rapid efforts to digitize a lot of health data and aggregate it electronically.

In one campaign the Word document purported to come from a UK-based hospital’s Director of Information Management and Technology. In the other, the Word doc billed itself as coming from a UK-based aquarium with international locations – likely SEA LIFE, an aquarium with locations in Birmingham, Brighton, and Manchester, with additional locations in the U.S., Australia, and China.

As scary as these examples are, the solution isn’t to stop seeking medical treatment. Patients can take some steps to protect their data and their privacy. One thing to do is a reference check on your insurer, hospital or health care provider by visiting the Office of Civil Rights’ list of providers that have experienced breaches, sometimes referred to as the “Wall of Shame.” Since July 1 alone, 35 breaches have been reported and are under investigation affecting more than 850,000 individuals.

Other areas growing quickly include disaster recovery and network operations. Like cybersecurity, these are important areas and require specialized skills that are not necessarily core to the business, Wagner said. Outsourcing is becoming more attractive to all organizations, the study said, but large organizations are growing IT outsourcing budgets the fastest. At the median, large organizations have increased the percentage of their IT budgets spent on outsourcing from 6.3 percent to 8.7 percent.

And despite the omnibus HIPAA Final Rule on Privacy & Security that HHS posted in Jan. 2013, which brought new safeguards to protect ePHI, healthcare CIOs and CISOs must be constantly on the ball, making adjustments to their cybersecurity plans to ensure they don’t run afoul of HIPAA rules. That is increasingly difficult in the post-omnibus era of more sophisticated attacks, most notably ransomware, ransomworms and whatever comes next. Take the latest ransomware variant Defray, for instance, which is specifically targeting healthcare and education sectors.

Cybersecurity experts have identified a new ransomware strain that is targeting healthcare organizations, FierceHealthcare reports. The virus, dubbed Defray, spreads via a Microsoft Word attachment in emails sent to potential victims. The messages are customized to appear to come from a trusted source. […] In one example of the personalized approach, an attachment titled Patient Report used the logo of a hospital in the United Kingdom and claimed to be from the hospital’s director of information management and technology. The ransomware demands $5,000 in bitcoin to release encrypted files.

The update will require patients to visit a clinic where doctors will put the pacemakers in backup mode while the firmware is being patched. The Abbott letter said that, for certain patients, the update should be performed “in a facility where temporary pacing and pacemaker generator change are readily available, due to the very small estimated risk of firmware update malfunction.” An advisory issued by the Food and Drug Administration said 465,000 pacemakers in the US alone are affected. The number of pacemakers in other countries wasn’t immediately available.

Securing the IoT in a healthcare environment requires communication and understanding. Executive leadership must understand that with these tremendous advantages comes additional responsibility. Agreement must be reached that any device requiring connectivity be vetted prior to purchase. Baseline requirements should be established around antivirus, patching and routing. In addition, departments that have traditionally run their own shops now need to partner with IT in discussions regarding purchasing, and later, deploying connected devices.

Another issue within the industry is that technology isn’t implemented as quickly as it becomes available, with health care IT facing particular cultural challenges. “In many hospitals, there has been a common culture in which doctors’ preferences have been heavily weighted, making it difficult for IT to implement change,” Mellen says, adding that the culture is changing. “Cybersecurity initiatives that had once been blocked due to ‘possible outages that could impact patient safety,’ are now being welcomed in order to improve patient safety.”

About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.